From 9ce54d5860346632b15b3b64fed3c2b60b7e7acf Mon Sep 17 00:00:00 2001
From: Christian Schwede
Date: Fri, 25 Oct 2013 08:59:37 +0200
Subject: [PATCH] Prevent early auth deny in tempauth when using swift3 middleware.

When tempauth is used together with swift3 and keystone, groups are empty and tempauth denies the request too early without a chance for keystone to authenticate the request.

Change-Id: I21d9b22ecbd18a5f1fba901abd94221a332c45ea
Closes-Bug: 1244545
---
 swift/common/middleware/tempauth.py | 2 +-
 test/unit/common/middleware/test_tempauth.py | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/swift/common/middleware/tempauth.py b/swift/common/middleware/tempauth.py
index 4600e5c7dd..76fae5ce3b 100644
--- a/swift/common/middleware/tempauth.py
+++ b/swift/common/middleware/tempauth.py
@@ -152,7 +152,7 @@ class TempAuth(object):
 env['reseller_request'] = True
 else:
 # Unauthorized token
- if self.reseller_prefix:
+ if self.reseller_prefix and not s3:
 # Because I know I'm the definitive auth for this token, I
 # can deny it outright.
 self.logger.increment('unauthorized')
diff --git a/test/unit/common/middleware/test_tempauth.py b/test/unit/common/middleware/test_tempauth.py
index eaffa39ff0..0d74edb8dc 100644
--- a/test/unit/common/middleware/test_tempauth.py
+++ b/test/unit/common/middleware/test_tempauth.py
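Review bot: With `if self.reseller_prefix and not s3:` in tempauth.py, a truthy `s3` skips both the outright 401 and the `self.logger.increment('unauthorized')` call, while the comment underneath still says only that tempauth is the definitive auth for the token. `s3` is assigned outside the hunk; if it merely reflects the presence of a client-supplied Authorization header, any caller can choose the pass-through path by adding that header. The request is then refused only if the code after this branch, also outside the hunk, installs a denying `swift.authorize` and no later middleware replaces it. I would extend the comment to say so, for example `# An Authorization header (e.g. swift3) may be validated by a later auth middleware, so deny outright only when it is absent.` It is also worth deciding whether these passed-on requests should still be counted, since rejected S3-style attempts no longer show up under the `unauthorized` metric.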
@@ -226,6 +226,22 @@ class TestAuth(unittest.TestCase):
 self.assertEquals(req.environ['swift.authorize'],
 local_auth.denied_response)

+ def test_auth_reseller_prefix_with_s3_deny(self):
+ # Ensures that when we have a reseller prefix and using a middleware
+ # relying on Http-Authorization (for example swift3), we don't deny a
+ # request outright but set up a denial swift.authorize and pass the
+ # request on down the chain.
+ local_app = FakeApp()
+ local_auth = auth.filter_factory({'reseller_prefix': 'PRE'})(local_app)
+ req = self._make_request('/v1/account',
+ headers={'X-Auth-Token': 't',
+ 'Authorization': 'AWS user:pw'})
+ resp = req.get_response(local_auth)
+ self.assertEquals(resp.status_int, 401)
+ self.assertEquals(local_app.calls, 1)
+ self.assertEquals(req.environ['swift.authorize'],
+ local_auth.denied_response)
+
 def test_auth_no_reseller_prefix_no_token(self):
 # Check that normally we set up a call back to our authorize.
 local_auth = \
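Review bot: `test_auth_reseller_prefix_with_s3_deny` sends `'X-Auth-Token': 't'` against `reseller_prefix` `'PRE'`, so it does not cover a token that carries tempauth's own prefix arriving together with an `Authorization` header. By the comment in tempauth.py, that is the case where tempauth is the definitive auth for the token, yet the changed condition no longer denies it outright. A second case with a prefixed token (constructed example: `headers={'X-Auth-Token': 'PRE_t', 'Authorization': 'AWS user:pw'}`) would pin the behaviour. It should assert a 401 and that `req.environ['swift.authorize']` is `local_auth.denied_response`, so the request is shown to fail closed when nothing downstream authenticates it. The enclosing `TestAuth` class starts and ends outside the hunk, so an existing test may already cover this.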